diff --git a/CHANGELOG.md b/CHANGELOG.md
index 71adc4fd..be294a19 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -21,6 +21,18 @@ JitPack continue to resolve through the existing coordinates.
`./mvnw -DskipTests -P japicmp verify -pl .`; HTML/MD/XML reports
land in `target/japicmp/`. JitPack repository is scoped to the
`japicmp` profile, so downstream consumers do not inherit it.
+- **GPG signing in the `release` profile** (Track D2). Adds
+ `maven-gpg-plugin` 3.2.7 to the existing `release` profile, binding
+ to the `verify` phase to sign main / sources / javadoc / pom
+ artefacts — Maven Central rejects unsigned uploads. **Off by
+ default**: a new property `true` keeps local
+ `mvn -P release package` runs working without a configured GPG key.
+ The publish workflow (Track D4) flips it explicitly with
+ `-Dgpg.skip=false` once the `MAVEN_GPG_PRIVATE_KEY` and
+ `MAVEN_GPG_PASSPHRASE` secrets are wired. `gpgArguments` declares
+ `--pinentry-mode loopback` so non-interactive CI runs accept the
+ passphrase from `-Dgpg.passphrase` / `MAVEN_GPG_PASSPHRASE` without
+ needing a TTY for `gpg-agent`.
- **`release` Maven profile with sources + javadoc jars** (Track D1).
Activated with `-P release`, attaches `*-sources.jar` and
`*-javadoc.jar` to the `package` phase via the standard
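Review bot: the added entry offers `-Dgpg.passphrase` as one way to supply the passphrase (second-to-last added line), but a `-D` value sits on the Maven command line, where it is visible in process listings and can be echoed into CI logs. Document only the `MAVEN_GPG_PASSPHRASE` environment variable here and drop the `-Dgpg.passphrase` alternative. Separately, "a new property `true`" names the property only by its value; spell it out as `gpg.skip` so the sentence matches the `-Dgpg.skip=false` override mentioned further down the same entry.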
diff --git a/pom.xml b/pom.xml
index 3bb82c36..3a2da5b2 100644
--- a/pom.xml
+++ b/pom.xml
@@ -67,6 +67,7 @@
3.15.0
3.5.0
+ 3.2.7
3.12.0
3.3.1
3.5.5
@@ -78,6 +79,14 @@
0.23.1
v1.6.5
+
+
+ true
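Review bot: the `true` default added at the end of this hunk (the skip flag the changelog entry describes) means a release run that forgets `-Dgpg.skip=false` completes without error and produces unsigned artefacts, and nothing in this change flags that. Have the publish workflow fail when an `.asc` signature is missing next to any artefact before upload, rather than relying on the repository to reject the bundle.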
@@ -508,6 +517,44 @@
+
+
+ org.apache.maven.plugins
+ maven-gpg-plugin
+ ${maven.gpg.plugin.version}
+
+
+ sign-artifacts
+ verify
+
+ sign
+
+
+ ${gpg.skip}
+
+ --pinentry-mode
+ loopback
+
+
+
+
+
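Review bot: the configuration of the `sign-artifacts` execution, as far as these lines show, sets only the skip flag and the gpg arguments and never says which key to sign with, so gpg falls back to the default secret key of whatever keyring the build finds. Pin the release key through the plugin's `keyname` parameter (user property `gpg.keyname`) so a runner or workstation holding more than one secret key cannot sign with the wrong one. Also, `--pinentry-mode loopback` is applied unconditionally, so a local run with `-Dgpg.skip=false` bypasses the gpg-agent pinentry dialog as well; if that is intended, state it in the changelog entry.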